The issue I found with the product revolves around the fact that RDP and SSH sessions take too much time, making it an area of concern where improvements are required. The product should be able to handle RDP and SSH sessions in a span of ten to fifteen seconds.
Presales manager at a security firm with 11-50 employees
Real User
Top 20
2023-09-11T16:04:06Z
Sep 11, 2023
The integration of the solution with many platforms is a difficult area to manage and needs to be made easy. For example, I don't think BeyondTrust Privileged Remote Access works with products from Sophos.
The solution's access process for third-party vendors needs to be simplified. It should eliminate the process of installing client applications on users' machines for better security. Instead, we can publish a URL link for them. Also, its web interface needs enhancement as well.
Firstly, when doing protocol panel jumps, the tool does not restrict what is recorded on the user's computer. So if a user has, let's say, three desktop monitors, the tool will expand to the entire desktop and record everything that happens on those screens, and not in the PRA window alone. Since a lot of people hold sensitive information outside of the PRA window, this creates some friction because they do not want that information recorded. Restricting the recording to the PRA window during a protocol tunnel jump will be an improvement. The second improvement is that PRA could be more flexible with privilege elevation on Linux endpoints. The third improvement is that PRA should have more connectors for the most common applications it integrates with.
Improvement-wise, I would like to look at the assessment results. Some of the capabilities in the solution were not as available or not as outstanding as CyberArk. We had to manage whatever little was available for us, especially its recording capabilities, logs, and a number of things.
Multiple areas can be improved. We've seen lots of updates in the past year. They have a portal where we can submit our ideas. BeyondTrust is immediately implementing user suggestions. The UI could be more informative. Initially, there were two or three connectors, and now we have five or six. It would be nice if they added a few more connectors for third-party integration. There are multiple tools, but the clients may require more for their convenience.
Learn what your peers think about BeyondTrust Privileged Remote Access. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
At the moment, I don't see any major problems with it. If anything, they can just change the look and feel of the login screen because it looks too simple to me. It does not have so much information. When you get to the login screen of the solution, you should have more information. We also have BeyondTrust Remote Support, and the login page looks similar to BeyondTrust Privilege Remote Access. I would love to see more rich information on the login screen or landing page so that rather than having a regular sign-in screen or page where you just provide a username and password and get into the solution, you should have more insight into what the solution does. I've mentioned this to them every time I have had an opportunity.
I would love to have a web console and the ability to use the smart card with the web console to provide remote support. If you are on a computer that doesn't have the Bomgar console, you should be able to use the web console to provide support. That's the only thing right now. A web console is nice when you're jumping into a computer, but if you need to elevate the privileges, you currently can't do it with the smart card. If they could figure that out, that would be money. One thing that's confusing is the way of setting up group policies and permissions. It is very complicated. There are a lot of small pieces to it. The way they have set everything up is weird. I'm sure there is a reason for that, but I feel it should be a lot easier to provide different permissions and things like that.
IT Specialist at a comms service provider with 11-50 employees
Real User
2022-07-11T15:49:00Z
Jul 11, 2022
The integration client, backup solution, and SSO setup and provisioning could be improved. There isn't any documented or supported user provisioning currently, which slows down the processes of onboarding and assigning permissions. I would like to see this improved soon. The Vault could use some attention, specifically in managing named administrative accounts. I have to assign permissions to my named admin account during sessions manually, but I think that should be the default. Admin account permissions could use some more automation and be adjusted to be more user-centric. BeyondTrust could improve text-based auditing; it's not very readable. I can get the details through the jump client and other tools, but if I run a simple PowerShell command, the solution generates multiple lines for that specific session in the text audit, which doesn't make sense.
Sr Technical Product Manager (Sr. Consultant at Computronix) at Computronix
Consultant
2022-06-25T18:44:00Z
Jun 25, 2022
In terms of improvement, there are two things that come to mind. One is just in terms of the API interface, which needs some work. In terms of the ability to automate the creation of new accounts within it, it's still a bit laborious. The other piece that I would say I've been pushing for this whole period is simply to save a reason for access to the audit file as it's one of the requirements in NIST 800-53. It's been a pain working around that one, even though it's somewhat trivial.
Sr Cyber Security Manager at Honeywell International Inc.
Real User
2022-06-01T10:56:00Z
Jun 1, 2022
We have been having some problems as of late. One of our gaps or pain points is having multi-factor authentication at the endpoint and using the PRA password injection from BeyondTrust, which does not work in our environment. We can only have MFA at the login of BeyondTrust to check out the password. Therefore, we can't meet our security requirements of having it on the endpoint. The solution's Vault seems to do what we need. It has some gaps when it is trying to process the password through multiple applications. If it fails, it doesn't notify us that it has failed. So, we only find that failure when we have an escalation or have to go back through to see what has happened, e.g., why the password didn't reset accurately. While it has some gaps, it works for the scenario that we need for the most part. When we decided on this solution, it was extremely important to us that PRA was available in multiple formats, such as a physical and virtual appliance or as SaaS. Unfortunately, we can't use PRA because of our environment, which was disheartening. When we were sold the tool, they said that we could, but we can't because our environment is highly customized. We have so many use cases that it is not a feature that can be used across platforms for us. We use PI and PRA together. If someone has checked out an account in PI, the session is open, and PI closed or checked back that account. Then, someone else checks out an account that is still active in a session, which causes multiple lockouts.
Information Technology Operations Manager at a educational organization with 5,001-10,000 employees
Real User
2022-04-27T18:25:00Z
Apr 27, 2022
Its management is through two different portals, and you can't get from one portal to the other. I have to literally open up another website and go into it a different way. There are no inner links between the two. They should interlink the actual virtual server and the appliance. In general, there should be one interface for management for admins.
Sr. Systems Administrator at Rayburn Country Electric Cooperative, Inc.
Real User
2022-03-02T22:45:00Z
Mar 2, 2022
It is too much of a fortress. It is difficult for us to report on compliance when I need to check for that device. For instance, I need to monitor what version that device is on, and it is quite complicated for us to do that. You can't connect to it traditionally and that is by design. While they have made some improvements in their API connectivity, it is just not quite what I would really like. It requires me to kind of apply some aftermarket steps in order to get what I need. There is no connectivity to the appliance side. There is no API, and it is just difficult for me to capture what version the device is on without going in and doing screenshots. It is a little too secure in that regard, where they don't even trust their product owner. Since a lot of hacks come from the inside, they are probably doing what they need to do out of necessity. It is just that I have to work pretty hard to produce compliance data on the box. You can usually API into something and get whatever you need. Or, you can have an SSH saying, "Do whatever you need. Just do a Git version command." There is none of that with BeyondTrust. However, this is the least of my concerns compared to whatever it grants us in freedom for all our security compliance requirements that it helps us meet.
I cannot say that the solution is lacking any features. It has everything we need right now. They could probably integrate a wizard or something like that to add a new use case. It could be something that makes it easier to add a new use case. That's something they could probably improve. I'm not sure about this, however, as the direction is anyway going more and more in the direction of automation. That said, for a beginner customer who is starting from scratch, probably a wizard would be a good feature to add. The on-premises version is not as easy to set up as a cloud deployment,
IAM Senior Solutions Architect at a tech services company with 1,001-5,000 employees
Real User
2021-02-10T18:49:11Z
Feb 10, 2021
It would be very nice if it has an enterprise vault. Currently, it can interact with Password Safe, which is a separate solution and equivalent to Thycotic Secret Server. Instead of having Password Safe as a separate entity, they should combine it with BeyondTrust Privileged Remote Access. They have done it in some way, but it is not an enterprise tech solution.
Changing your password should be simplified, and there should not be a charge for it. For every server that we are supporting, we have an administrator password to log in. This is for remote access and remote support, and we do not like to give this password to the local support people. I would like to be able to assign a dedicated password that can be used only for one day. There are other products that can do this.
BeyondTrust Privileged Remote Access (formerly Bomgar Privileged Access) lets you secure, manage, and audit vendor and internal remote privileged access without a VPN.
Privileged Remote Access provides visibility and control over third-party vendor access, as well as internal remote access, enabling your organization to extend access to important assets, but without compromising security.
Features include:
- Privileged Access Control: Enforce least privilege by giving users the right level...
The issue I found with the product revolves around the fact that RDP and SSH sessions take too much time, making it an area of concern where improvements are required. The product should be able to handle RDP and SSH sessions in a span of ten to fifteen seconds.
The integration of the solution with many platforms is a difficult area to manage and needs to be made easy. For example, I don't think BeyondTrust Privileged Remote Access works with products from Sophos.
The solution's access process for third-party vendors needs to be simplified. It should eliminate the process of installing client applications on users' machines for better security. Instead, we can publish a URL link for them. Also, its web interface needs enhancement as well.
Firstly, when doing protocol panel jumps, the tool does not restrict what is recorded on the user's computer. So if a user has, let's say, three desktop monitors, the tool will expand to the entire desktop and record everything that happens on those screens, and not in the PRA window alone. Since a lot of people hold sensitive information outside of the PRA window, this creates some friction because they do not want that information recorded. Restricting the recording to the PRA window during a protocol tunnel jump will be an improvement. The second improvement is that PRA could be more flexible with privilege elevation on Linux endpoints. The third improvement is that PRA should have more connectors for the most common applications it integrates with.
Improvement-wise, I would like to look at the assessment results. Some of the capabilities in the solution were not as available or not as outstanding as CyberArk. We had to manage whatever little was available for us, especially its recording capabilities, logs, and a number of things.
Multiple areas can be improved. We've seen lots of updates in the past year. They have a portal where we can submit our ideas. BeyondTrust is immediately implementing user suggestions. The UI could be more informative. Initially, there were two or three connectors, and now we have five or six. It would be nice if they added a few more connectors for third-party integration. There are multiple tools, but the clients may require more for their convenience.
At the moment, I don't see any major problems with it. If anything, they can just change the look and feel of the login screen because it looks too simple to me. It does not have so much information. When you get to the login screen of the solution, you should have more information. We also have BeyondTrust Remote Support, and the login page looks similar to BeyondTrust Privilege Remote Access. I would love to see more rich information on the login screen or landing page so that rather than having a regular sign-in screen or page where you just provide a username and password and get into the solution, you should have more insight into what the solution does. I've mentioned this to them every time I have had an opportunity.
I would love to have a web console and the ability to use the smart card with the web console to provide remote support. If you are on a computer that doesn't have the Bomgar console, you should be able to use the web console to provide support. That's the only thing right now. A web console is nice when you're jumping into a computer, but if you need to elevate the privileges, you currently can't do it with the smart card. If they could figure that out, that would be money. One thing that's confusing is the way of setting up group policies and permissions. It is very complicated. There are a lot of small pieces to it. The way they have set everything up is weird. I'm sure there is a reason for that, but I feel it should be a lot easier to provide different permissions and things like that.
The integration client, backup solution, and SSO setup and provisioning could be improved. There isn't any documented or supported user provisioning currently, which slows down the processes of onboarding and assigning permissions. I would like to see this improved soon. The Vault could use some attention, specifically in managing named administrative accounts. I have to assign permissions to my named admin account during sessions manually, but I think that should be the default. Admin account permissions could use some more automation and be adjusted to be more user-centric. BeyondTrust could improve text-based auditing; it's not very readable. I can get the details through the jump client and other tools, but if I run a simple PowerShell command, the solution generates multiple lines for that specific session in the text audit, which doesn't make sense.
In terms of improvement, there are two things that come to mind. One is just in terms of the API interface, which needs some work. In terms of the ability to automate the creation of new accounts within it, it's still a bit laborious. The other piece that I would say I've been pushing for this whole period is simply to save a reason for access to the audit file as it's one of the requirements in NIST 800-53. It's been a pain working around that one, even though it's somewhat trivial.
We have been having some problems as of late. One of our gaps or pain points is having multi-factor authentication at the endpoint and using the PRA password injection from BeyondTrust, which does not work in our environment. We can only have MFA at the login of BeyondTrust to check out the password. Therefore, we can't meet our security requirements of having it on the endpoint. The solution's Vault seems to do what we need. It has some gaps when it is trying to process the password through multiple applications. If it fails, it doesn't notify us that it has failed. So, we only find that failure when we have an escalation or have to go back through to see what has happened, e.g., why the password didn't reset accurately. While it has some gaps, it works for the scenario that we need for the most part. When we decided on this solution, it was extremely important to us that PRA was available in multiple formats, such as a physical and virtual appliance or as SaaS. Unfortunately, we can't use PRA because of our environment, which was disheartening. When we were sold the tool, they said that we could, but we can't because our environment is highly customized. We have so many use cases that it is not a feature that can be used across platforms for us. We use PI and PRA together. If someone has checked out an account in PI, the session is open, and PI closed or checked back that account. Then, someone else checks out an account that is still active in a session, which causes multiple lockouts.
Its management is through two different portals, and you can't get from one portal to the other. I have to literally open up another website and go into it a different way. There are no inner links between the two. They should interlink the actual virtual server and the appliance. In general, there should be one interface for management for admins.
It is too much of a fortress. It is difficult for us to report on compliance when I need to check for that device. For instance, I need to monitor what version that device is on, and it is quite complicated for us to do that. You can't connect to it traditionally and that is by design. While they have made some improvements in their API connectivity, it is just not quite what I would really like. It requires me to kind of apply some aftermarket steps in order to get what I need. There is no connectivity to the appliance side. There is no API, and it is just difficult for me to capture what version the device is on without going in and doing screenshots. It is a little too secure in that regard, where they don't even trust their product owner. Since a lot of hacks come from the inside, they are probably doing what they need to do out of necessity. It is just that I have to work pretty hard to produce compliance data on the box. You can usually API into something and get whatever you need. Or, you can have an SSH saying, "Do whatever you need. Just do a Git version command." There is none of that with BeyondTrust. However, this is the least of my concerns compared to whatever it grants us in freedom for all our security compliance requirements that it helps us meet.
I can't think of any specific improvements because the product is already so rich.
I cannot say that the solution is lacking any features. It has everything we need right now. They could probably integrate a wizard or something like that to add a new use case. It could be something that makes it easier to add a new use case. That's something they could probably improve. I'm not sure about this, however, as the direction is anyway going more and more in the direction of automation. That said, for a beginner customer who is starting from scratch, probably a wizard would be a good feature to add. The on-premises version is not as easy to set up as a cloud deployment,
It would be very nice if it has an enterprise vault. Currently, it can interact with Password Safe, which is a separate solution and equivalent to Thycotic Secret Server. Instead of having Password Safe as a separate entity, they should combine it with BeyondTrust Privileged Remote Access. They have done it in some way, but it is not an enterprise tech solution.
Changing your password should be simplified, and there should not be a charge for it. For every server that we are supporting, we have an administrator password to log in. This is for remote access and remote support, and we do not like to give this password to the local support people. I would like to be able to assign a dedicated password that can be used only for one day. There are other products that can do this.